This is an old revision of the document!
Setting up an IPSEC tunnel
This guide will teach you how to setup a basic IPSEC tunnel to allow you to use your VPS as a VPN. IPSEC tunnels are similar to GRE's in that it can pass all forms of traffic but has the added bonus of being supported by Windows.
If you you're needing a tunnel between a buyvm linux based virtual server and a linux based destination, we highly recommend you use a GRE tunnel documented here: GRE tunnelling your filtered IP.
If you don't have administrative control over your destination (using a shared service of sorts) then your only choice is using a reverse proxy documented here: Redirecting your filtered IP.
Supported Operating Systems
All operating systems with IPSEC support are, you guessed it, supported.
We still highly recommend buying a KVM based plan with us if you're needing to protect a Windows server. You'll save on latency and bandwidth costs.
Please note, if you're setting this up on an OpenVZ with us, you must use a 64bit based template.
- iptables installed on your BuyVM VPS (included already in most cases)
- A 64bit based distribution if you're doing this on OpenVZ. This can't be stressed enough and will not work on a 32bit distribution (for the time being).
First you must install openswan & xl2tpd.
apt-get update apt-get install openswan xl2tpd
Note: During the install it will ask if you wish to generate certificates. Certificates can give you added security but isn't needed nor covered here.
yum -y install xl2tpd openswan
/etc/ipsec.conf with your favorite editor. Replace the entire contents with the following:
# /etc/ipsec.conf - Openswan IPsec configuration file # This file: /usr/share/doc/openswan/ipsec.conf-sample # # Manual: ipsec.conf.5 version 2.0 # conforms to second version of ipsec.conf specification # basic configuration config setup # Do not set debug options to debug configuration issues! # plutodebug / klipsdebug = "all", "none" or a combation from below: # "raw crypt parsing emitting control klips pfkey natt x509 dpd private" # eg: # plutodebug="control parsing" # # enable to get logs per-peer # plutoopts="--perpeerlog" # # Again: only enable plutodebug or klipsdebug when asked by a developer # # NAT-TRAVERSAL support, see README.NAT-Traversal nat_traversal=yes # exclude networks used on server side by adding %v4:!a.b.c.0/24 virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!172.16.8.0/24 # OE is now off by default. Uncomment and change to on, to enable. oe=off # which IPsec stack to use. auto will try netkey, then klips then mast protostack=netkey conn %default authby=secret pfs=no auto=add keyingtries=3 rekey=no ikelifetime=8h keylife=1h type=transport leftprotoport=17/1701 rightprotoport=17/%any conn L2TP-PSK-NAT rightsubnet=vhost:%priv left=YOUR_BUYVM_IP conn L2TP-PSK-noNAT left=YOUR_BUYVM_IP right=%any
Make sure you update
YOUR_BUYVM_IP with your BuyVM IP.
/etc/xl2tpd/xl2tpd.conf with your favorite editor. Replace the entire contents with the following:
[global] ;listen-addr = 127.0.0.1 ; Global parameters: port = 1701 ; * Bind to port 1701 auth file = /etc/xl2tpd/l2tp-secrets ; * Where our challenge secrets are access control = no ; * Refuse connections without IP match rand source = dev ; Source for entropy for random [lns default] ; Our fallthrough LNS definition exclusive = yes ; * Only permit one tunnel per host ip range = 10.1.0.2 - 10.1.0.100 local ip = 10.1.0.1 refuse authentication = yes ; * Refuse authentication altogether refuse pap = yes ; * Refuse PAP authentication refuse chap = yes ppp debug = no ; * Turn on PPP debugging pppoptfile = /etc/ppp/options.l2tpd ; * ppp options file
Optional: Update the
ip range &
local ip to fit your needs.
/etc/ppp/options.l2tpd with your favorite editor. Replace the entire contents with the following:
# Do not support BSD compression. nobsdcomp passive lock # Allow all usernames to connect. name * proxyarp ipcp-accept-local ipcp-accept-remote lcp-echo-failure 10 lcp-echo-interval 5 nodeflate # Do not authenticate incoming connections. This is handled by IPsec. noauth refuse-chap refuse-mschap refuse-mschap-v2 # Set the DNS servers the PPP clients will use. ms-dns 188.8.131.52 mtu 1400 mru 1400
/etc/ipsec.secrets with your favorite editor. Replace the entire contents with the following:
YOUR_BUYVM_IP %any: "mysecretpresharedkeypassword"
mysecretpresharedkeypassword is the
shared key you'll have to provide to your client sides configuration to connect. All authentication is handled by IPSEC.
Allow traffic to route out your VPS
As with all other VPN tutorials, use an SNAT rule to route traffic from the VPS:
iptables -A POSTROUTING -t nat -s 10.0.0.0/8 -j SNAT --to-source YOUR_BUYVM_IP
Apply the configuration files
You must now restart the
/etc/init.d/ipsec restart /etc/init.d/xl2tpd restart
Client side configuration
From here you must configure your client side.
For a good Windows 2008/2012/7/8 guide, please check out http://www.x4b.net/wiki/WindowsVPNConnecting. Follow all the steps except 9 & 10 as it's specific to their platform.